From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sun, 23 Jan 2022 16:56:10 +0000 (+0100)
Subject: 4.9-stable patches
X-Git-Tag: v4.4.300~119
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=73f1b1b6fb98d48c7303c6d425ed4107b6e22a5f;p=thirdparty%2Fkernel%2Fstable-queue.git

4.9-stable patches

added patches:
	drm-etnaviv-limit-submit-sizes.patch
	iwlwifi-mvm-increase-the-scan-timeout-guard-to-30-seconds.patch
---

diff --git a/queue-4.9/drm-etnaviv-limit-submit-sizes.patch b/queue-4.9/drm-etnaviv-limit-submit-sizes.patch
new file mode 100644
index 00000000000..1ed52d1e957
--- /dev/null
+++ b/queue-4.9/drm-etnaviv-limit-submit-sizes.patch
@@ -0,0 +1,48 @@
+From 6dfa2fab8ddd46faa771a102672176bee7a065de Mon Sep 17 00:00:00 2001
+From: Lucas Stach <l.stach@pengutronix.de>
+Date: Fri, 17 Dec 2021 11:59:28 +0100
+Subject: drm/etnaviv: limit submit sizes
+
+From: Lucas Stach <l.stach@pengutronix.de>
+
+commit 6dfa2fab8ddd46faa771a102672176bee7a065de upstream.
+
+Currently we allow rediculous amounts of kernel memory being allocated
+via the etnaviv GEM_SUBMIT ioctl, which is a pretty easy DoS vector. Put
+some reasonable limits in to fix this.
+
+The commandstream size is limited to 64KB, which was already a soft limit
+on older kernels after which the kernel only took submits on a best effort
+base, so there is no userspace that tries to submit commandstreams larger
+than this. Even if the whole commandstream is a single incrementing address
+load, the size limit also limits the number of potential relocs and
+referenced buffers to slightly under 64K, so use the same limit for those
+arguments. The performance monitoring infrastructure currently supports
+less than 50 performance counter signals, so limiting them to 128 on a
+single submit seems like a reasonably future-proof number for now. This
+number can be bumped if needed without breaking the interface.
+
+Cc: stable@vger.kernel.org
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Reviewed-by: Christian Gmeiner <christian.gmeiner@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/etnaviv/etnaviv_gem_submit.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/gpu/drm/etnaviv/etnaviv_gem_submit.c
++++ b/drivers/gpu/drm/etnaviv/etnaviv_gem_submit.c
+@@ -325,6 +325,12 @@ int etnaviv_ioctl_gem_submit(struct drm_
+ 		return -EINVAL;
+ 	}
+ 
++	if (args->stream_size > SZ_64K || args->nr_relocs > SZ_64K ||
++	    args->nr_bos > SZ_64K || args->nr_pmrs > 128) {
++		DRM_ERROR("submit arguments out of size limits\n");
++		return -EINVAL;
++	}
++
+ 	/*
+ 	 * Copy the command submission and bo array to kernel space in
+ 	 * one go, and do this outside of any locks.
diff --git a/queue-4.9/iwlwifi-mvm-increase-the-scan-timeout-guard-to-30-seconds.patch b/queue-4.9/iwlwifi-mvm-increase-the-scan-timeout-guard-to-30-seconds.patch
new file mode 100644
index 00000000000..49eb1cb6132
--- /dev/null
+++ b/queue-4.9/iwlwifi-mvm-increase-the-scan-timeout-guard-to-30-seconds.patch
@@ -0,0 +1,40 @@
+From ced50f1133af12f7521bb777fcf4046ca908fb77 Mon Sep 17 00:00:00 2001
+From: Ilan Peer <ilan.peer@intel.com>
+Date: Fri, 10 Dec 2021 09:06:21 +0200
+Subject: iwlwifi: mvm: Increase the scan timeout guard to 30 seconds
+
+From: Ilan Peer <ilan.peer@intel.com>
+
+commit ced50f1133af12f7521bb777fcf4046ca908fb77 upstream.
+
+With the introduction of 6GHz channels the scan guard timeout should
+be adjusted to account for the following extreme case:
+
+- All 6GHz channels are scanned passively: 58 channels.
+- The scan is fragmented with the following parameters: 3 fragments,
+  95 TUs suspend time, 44 TUs maximal out of channel time.
+
+The above would result with scan time of more than 24 seconds. Thus,
+set the timeout to 30 seconds.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Ilan Peer <ilan.peer@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Link: https://lore.kernel.org/r/iwlwifi.20211210090244.3c851b93aef5.I346fa2e1d79220a6770496e773c6f87a2ad9e6c4@changeid
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/scan.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/scan.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/scan.c
+@@ -1260,7 +1260,7 @@ static int iwl_mvm_check_running_scans(s
+ 	return -EIO;
+ }
+ 
+-#define SCAN_TIMEOUT 20000
++#define SCAN_TIMEOUT 30000
+ 
+ void iwl_mvm_scan_timeout_wk(struct work_struct *work)
+ {
diff --git a/queue-4.9/series b/queue-4.9/series
index b14013e3c29..e9d52f427fc 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -117,3 +117,5 @@ scsi-sr-don-t-use-gfp_dma.patch
 asoc-mediatek-mt8173-fix-device_node-leak.patch
 power-bq25890-enable-continuous-conversion-for-adc-a.patch
 ubifs-error-path-in-ubifs_remount_rw-seems-to-wrongly-free-write-buffers.patch
+iwlwifi-mvm-increase-the-scan-timeout-guard-to-30-seconds.patch
+drm-etnaviv-limit-submit-sizes.patch